Control: severity -1 serious

On Thu, 19 Sep 2024 20:11:32 +0200 Helmut Grohne <[email protected]> wrote:

Source: binutils-mipsen
Version: 12+c1
Severity: important
Justification: violates policy 10.9 "should"
Tags: security

Multiple binary packages built from binutils-mipsen have their files (including e.g. /, /usr, /usr/bin and /usr/bin/TOOL) owned by user "buildd" or user "sbuild". They really should be owned by root. Likely, dh_fixperms or something similar is missing here or a repacking step fails to reset ownership information back to root.

This also poses a possible vulnerability. If there happens to be a user thus named on the system, they can modify tools below /usr/bin and thus escalate their privileges.

Helmut
Using `dpkg-deb --root-owner-group --build ...` when assembling the deb should do.
Best regards, Niels